FedRAMP JAB P-ATO Process TIMELINESS AND ACCURACY OF TESTING REQUIREMENTS. VERSION 1.0 October 20, 2016

Transcription

1 FedRAMP JAB P-ATO Process TIMELINESS AND ACCURACY OF TESTING REQUIREMENTS VERSION 1.0 October 20, 2016 MONTH 2015

2 Table of Contents 1. PURPOSE 3 2. BACKGROUND 3 3. TIMELINESS AND ACCURACY OF TESTING OVERVIEW 3 4. PENETRATION TESTING REQUIREMENTS 3 5. VULNERABILITY SCAN REQUIREMENTS 4 6. SECURITY CONTROL TESTING REQUIREMENTS 5 7. POLICY FOR TREATING HIGH VULNERABILITIES 5 2

3 1. PURPOSE This document outlines the timeliness and accuracy of testing requirements for evidence associated with an authorization package prior to a Cloud Service Provider (CSP) entering the FedRAMP Joint Authorization Board (JAB) Provisional Authorization to Operate (P-ATO) process. CSPs will only enter the JAB P-ATO process after they have been prioritized by the JAB. To ensure timeliness of testing it is recommended that CSPs begin full testing of their cloud systems until after they have been prioritized. 2. BACKGROUND The JAB grants provisional authorizations for cloud systems they believe could be authorized government-wide by any other Executive level department or agency. This requires a rigorous review of the risk posture of these cloud systems. Thus, the testing evidence associated with the authorization package must accurately reflect the current risk posture of these cloud systems. 3. TIMELINESS AND ACCURACY OF TESTING OVERVIEW There are three categories of evidence associated with testing in an authorization package: (1) Penetration Testing, (2) Vulnerability Scanning, and (3) Security Controls Testing. The following sections describe the three categories of testing as well as how CSPs can ensure the associated testing evidence is considered current by the JAB. 4. PENETRATION TESTING REQUIREMENTS Penetration Tests determine exploitable security weaknesses in an information system. They may also evaluate an organization s security policy compliance, its employees security awareness, and the organization s ability to identify and respond to security incidents. All Penetration Tests must comply with the FedRAMP Penetration Testing Guidance 1. At the beginning of the JAB P-ATO process, as part of the authorization package, a FedRAMP accredited Third Party Assessment Organization (3PAO) must submit a 1) Penetration Test plan and a 2) Penetration Test report on behalf of their CSP. In order to ensure a Penetration Test is current, the following must apply: When submitting a completed authorization package to FedRAMP to begin the JAB P-ATO process the Penetration Test cannot be older than 6 months. NOTE: CSPs should ensure the Penetration Test is executed as close as possible to a CSP s submission of the authorization package. Once a JAB P-ATO is granted, CSPs must complete a new Penetration Test at a minimum once a year by a 3PAO

4 Accuracy of Testing Requirements: Penetration Tests must accurately reflect the current security capabilities and services of the cloud system being authorized. If there are any significant changes to the security capabilities of the cloud system since the completion of the last Penetration Test, the JAB may require a new Penetration Test. Examples include: new ports, protocols, or services. 5. VULNERABILITY SCAN REQUIREMENTS Vulnerability scans are a primary source of evidence for continuously monitoring a CSP s risk posture and enabling authorizing officials to continue to authorize the use of a CSP system. FedRAMP requires CSPs to complete vulnerability scans in accordance with the FedRAMP JAB P-ATO Vulnerability Scan Requirements Guide 2. At the beginning of the JAB P-ATO process, as part of the authorization package, the CSP must 1) submit vulnerability scans provided by the 3PAO as a part of the authorization package 2) submit monthly scans provided by the CSP. These scans provide the JAB with a view into a CSP s ability to remediate findings and provides input for the JAB s authorization decision on the CSP s risk posture. To ensure the vulnerability scans are current, the following must apply: When submitting a completed authorization package to FedRAMP to begin the JAB P-ATO process, the scans completed by a 3PAO and reflected in the Security Assessment Report (SAR) must be current within 120 days. Additionally, CSPs must submit scans and a Plan of Action and Milestones (POA&M) current within 30 days prior to the date of the JAB P-ATO process kickoff. Monthly Scanning Requirements during JAB P-ATO process: During the JAB P-ATO process, vendors must submit monthly vulnerability scans, in accordance with security controls RA-5 and RA-5 (5), and matching POA&Ms, in accordance with security control CA-5. These vulnerability scans and POA&Ms will be treated as monthly continuous monitoring scans that identify all high, moderate, and low vulnerabilities on a CSP s system. In order to be eligible for a P-ATO, a vendor must have monthly scans and POA&Ms demonstrating: 1. There are no late high vulnerabilities on the system open for longer than 30 days from the date of discovery. 2. The CSP provides a POA&M to remediate all open high vulnerabilities within the 30-day remediation timeframe

5 3. The CSP remains in compliance with the applicable requirements in the FedRAMP P-ATO Management and Revocation Guide These scans must use the same scan tools and configurations as the scans run by the 3PAO reflected in the SAR. 6. SECURITY CONTROL TESTING REQUIREMENTS FedRAMP requires CSPs to complete security control implementation testing required by the FedRAMP Security Controls Baseline 4. Each security control within the baseline must be tested by a 3PAO with the appropriate evidence and results documented within the authorization package. To ensure the testing of security controls by a 3PAO are current, the following must apply: When submitting a completed authorization package to FedRAMP, security control testing evidence must be current within: 120 days, if the system does not have an existing FedRAMP Agency authorization. 12 months, if the system has an existing FedRAMP Agency authorization. Accuracy of Testing Requirements: All security control testing evidence must accurately reflect the current implementations. All security control testing evidence must be completed by the same 3PAO. 7. POLICY FOR TREATING HIGH VULNERABILITIES The JAB does not accept any open and unmitigated high vulnerabilities found during testing documented in the SAR. There are almost always high risks identified by vulnerability scans during a 3PAO assessment. Any high findings found during the JAB P-ATO process should be closed within 30 days. In order to close any high findings identified by vulnerability scans for a SAR submission, 3PAOs can do one of the following: Perform targeted scans to verify closure of a high vulnerability (preferred), or Gather evidence to verify closure of a high vulnerability. 3PAOs may not do a complete re-scan of the environment unless that scan identifies zero additional vulnerabilities (at low, moderate, or high)